| Risk Level | Number of Alerts |
|---|---|
| High | 2 |
| Medium | 9 |
| Low | 8 |
| Informational | 15 |
| False Positives: | 0 |
For each step: result (Pass/Fail) - risk (of highest alert(s) for the step, if any).
| High | Open Redirect |
|---|---|
| Description | Open redirects are one of the OWASP 2010 Top Ten vulnerabilities. This check looks at user-supplied input in query string parameters and POST data to identify where open redirects might be possible. Open redirects occur when an application allows user-supplied input (e.g. https://nottrusted.com) to control an offsite redirect. This is generally a pretty accurate way to find where 301 or 302 redirects could be exploited by spammers or phishing attacks. For example, an attacker could supply a user with the following link: https://example.com/example.php?url=https://malicious.example.com. |
| URL | http://localhost:3000/redirect?to=https://github.com/juice-shop/juice-shop |
| Method | GET |
| Parameter | to |
| Attack | |
| Evidence | |
| Other Info | The 301 or 302 response to a request for the following URL appeared to contain user input in the location header: http://localhost:3000/redirect?to=https://github.com/juice-shop/juice-shop The user input found was: to=https://github.com/juice-shop/juice-shop The context was: https://github.com/juice-shop/juice-shop |
| Instances | 1 |
| Solution | To avoid the open redirect vulnerability, parameters of the application script/program must be validated before sending a 302 HTTP code (redirect) to the client browser. Implement safe redirect functionality that only redirects to relative URIs or to a list of trusted domains. |
| Reference | https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html https://cwe.mitre.org/data/definitions/601.html |
| CWE Id | 601 |
| WASC Id | 38 |
| Plugin Id | 10028 |
| High | SQL Injection - SQLite |
|---|---|
| Description | SQL injection may be possible. |
| URL | http://localhost:3000/rest/products/search?q=%27%28 |
| Method | GET |
| Parameter | q |
| Attack | '( |
| Evidence | SQLITE_ERROR |
| Other Info | RDBMS [SQLite] likely, given error message regular expression [SQLITE_ERROR] matched by the HTML results. The vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. |
| URL | http://localhost:3000/rest/products/search?q= |
| Method | GET |
| Parameter | q |
| Attack | ' \| case randomblob(1000000) when not null then "" else "" end \| ' |
| Evidence | The query time is controllable using parameter value [' \| case randomblob(1000000) when not null then "" else "" end \| '], which caused the request to take [432] milliseconds, parameter value [' \| case randomblob(1000000) when not null then "" else "" end \| '], which caused the request to take [432] milliseconds, when the original unmodified query with value [] took [13] milliseconds. |
| Other Info | The query time is controllable using parameter value [' \| case randomblob(1000000) when not null then "" else "" end \| '], which caused the request to take [432] milliseconds, parameter value [' \| case randomblob(1000000) when not null then "" else "" end \| '], which caused the request to take [432] milliseconds, when the original unmodified query with value [] took [13] milliseconds. |
| Instances | 2 |
| Solution | Do not trust client side input, even if there is client side validation in place. In general, type check all data on the server side. If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'. If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries. If database Stored Procedures can be used, use them. Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality! Do not create dynamic SQL queries using simple string concatenation. Escape all data received from the client. Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input. Apply the principle of least privilege by using the least privileged database user possible. In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact. Grant the minimum database access that is necessary for the application. |
| Reference | https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html |
| CWE Id | 89 |
| WASC Id | 19 |
| Plugin Id | 40018 |
| Medium | Backup File Disclosure |
|---|---|
| Description | A backup of the file was disclosed by the web server. |
| URL | http://localhost:3000/api%20-%20Copy |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api%20-%20Copy |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api%20-%20Copy] |
| URL | http://localhost:3000/api%20-%20Copy%20(2) |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api%20-%20Copy%20(2) |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api%20-%20Copy%20(2)] |
| URL | http://localhost:3000/api%20-%20Copy%20(3) |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api%20-%20Copy%20(3) |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api%20-%20Copy%20(3)] |
| URL | http://localhost:3000/api-backup |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api-backup |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api-backup] |
| URL | http://localhost:3000/api.0 |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.0 |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.0] |
| URL | http://localhost:3000/api.1 |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.1 |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.1] |
| URL | http://localhost:3000/api.2 |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.2 |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.2] |
| URL | http://localhost:3000/api.3 |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.3 |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.3] |
| URL | http://localhost:3000/api.7z |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.7z |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.7z] |
| URL | http://localhost:3000/api.bac |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.bac |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.bac] |
| URL | http://localhost:3000/api.backup |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.backup |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.backup] |
| URL | http://localhost:3000/api.bak |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.bak |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.bak] |
| URL | http://localhost:3000/api.bz2 |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.bz2 |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.bz2] |
| URL | http://localhost:3000/api.exe |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.exe |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.exe] |
| URL | http://localhost:3000/api.gz |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.gz |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.gz] |
| URL | http://localhost:3000/api.jar |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.jar |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.jar] |
| URL | http://localhost:3000/api.log |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.log |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.log] |
| URL | http://localhost:3000/api.old |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.old |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.old] |
| URL | http://localhost:3000/api.orig |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.orig |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.orig] |
| URL | http://localhost:3000/api.swp |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.swp |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.swp] |
| URL | http://localhost:3000/api.tar |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.tar |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.tar] |
| URL | http://localhost:3000/api.tmp |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.tmp |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.tmp] |
| URL | http://localhost:3000/api.zip |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.zip |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.zip] |
| URL | http://localhost:3000/api.~bk |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api.~bk |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api.~bk] |
| URL | http://localhost:3000/api_backup |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api_backup |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api_backup] |
| URL | http://localhost:3000/apibackup |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/apibackup |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/apibackup] |
| URL | http://localhost:3000/api~ |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api~ |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/api] is available at [http://localhost:3000/api~] |
| URL | http://localhost:3000/ftp/acquisitions%20-%20Copy%20(2).md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions%20-%20Copy%20(2).md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions%20-%20Copy%20(2).md] |
| URL | http://localhost:3000/ftp/acquisitions%20-%20Copy%20(3).md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions%20-%20Copy%20(3).md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions%20-%20Copy%20(3).md] |
| URL | http://localhost:3000/ftp/acquisitions%20-%20Copy.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions%20-%20Copy.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions%20-%20Copy.md] |
| URL | http://localhost:3000/ftp/acquisitions-backup.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions-backup.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions-backup.md] |
| URL | http://localhost:3000/ftp/acquisitions.0.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.0.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.0.md] |
| URL | http://localhost:3000/ftp/acquisitions.1.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.1.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.1.md] |
| URL | http://localhost:3000/ftp/acquisitions.2.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.2.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.2.md] |
| URL | http://localhost:3000/ftp/acquisitions.3.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.3.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.3.md] |
| URL | http://localhost:3000/ftp/acquisitions.7z.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.7z.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.7z.md] |
| URL | http://localhost:3000/ftp/acquisitions.bac.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.bac.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.bac.md] |
| URL | http://localhost:3000/ftp/acquisitions.backup.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.backup.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.backup.md] |
| URL | http://localhost:3000/ftp/acquisitions.bak.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.bak.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.bak.md] |
| URL | http://localhost:3000/ftp/acquisitions.bz2.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.bz2.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.bz2.md] |
| URL | http://localhost:3000/ftp/acquisitions.exe.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.exe.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.exe.md] |
| URL | http://localhost:3000/ftp/acquisitions.gz.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.gz.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.gz.md] |
| URL | http://localhost:3000/ftp/acquisitions.jar.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.jar.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.jar.md] |
| URL | http://localhost:3000/ftp/acquisitions.log.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.log.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.log.md] |
| URL | http://localhost:3000/ftp/acquisitions.old.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.old.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.old.md] |
| URL | http://localhost:3000/ftp/acquisitions.orig.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.orig.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.orig.md] |
| URL | http://localhost:3000/ftp/acquisitions.swp.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.swp.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.swp.md] |
| URL | http://localhost:3000/ftp/acquisitions.tar.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.tar.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.tar.md] |
| URL | http://localhost:3000/ftp/acquisitions.tmp.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.tmp.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.tmp.md] |
| URL | http://localhost:3000/ftp/acquisitions.zip.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.zip.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.zip.md] |
| URL | http://localhost:3000/ftp/acquisitions.~bk.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions.~bk.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions.~bk.md] |
| URL | http://localhost:3000/ftp/acquisitions_backup.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions_backup.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions_backup.md] |
| URL | http://localhost:3000/ftp/acquisitionsbackup.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitionsbackup.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitionsbackup.md] |
| URL | http://localhost:3000/ftp/acquisitions~.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/acquisitions~.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/acquisitions~.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted%20-%20Copy%20(2).md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted%20-%20Copy%20(2).md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted%20-%20Copy%20(2).md] |
| URL | http://localhost:3000/ftp/announcement_encrypted%20-%20Copy%20(3).md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted%20-%20Copy%20(3).md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted%20-%20Copy%20(3).md] |
| URL | http://localhost:3000/ftp/announcement_encrypted%20-%20Copy.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted%20-%20Copy.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted%20-%20Copy.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted-backup.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted-backup.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted-backup.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.0.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.0.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.0.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.1.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.1.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.1.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.2.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.2.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.2.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.3.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.3.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.3.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.7z.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.7z.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.7z.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.bac.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.bac.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.bac.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.backup.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.backup.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.backup.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.bak.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.bak.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.bak.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.bz2.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.bz2.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.bz2.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.exe.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.exe.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.exe.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.gz.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.gz.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.gz.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.jar.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.jar.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.jar.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.log.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.log.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.log.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.old.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.old.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.old.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.orig.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.orig.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.orig.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.swp.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.swp.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.swp.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.tar.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.tar.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.tar.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.tmp.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.tmp.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.tmp.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.zip.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.zip.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.zip.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted.~bk.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted.~bk.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted.~bk.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted_backup.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted_backup.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted_backup.md] |
| URL | http://localhost:3000/ftp/announcement_encryptedbackup.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encryptedbackup.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encryptedbackup.md] |
| URL | http://localhost:3000/ftp/announcement_encrypted~.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/announcement_encrypted~.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/announcement_encrypted~.md] |
| URL | http://localhost:3000/ftp/backupacquisitions.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/backupacquisitions.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/backupacquisitions.md] |
| URL | http://localhost:3000/ftp/backupannouncement_encrypted.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/backupannouncement_encrypted.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/backupannouncement_encrypted.md] |
| URL | http://localhost:3000/ftp/backuplegal.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/backuplegal.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/backuplegal.md] |
| URL | http://localhost:3000/ftp/Copy%20(2)%20of%20acquisitions.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/Copy%20(2)%20of%20acquisitions.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/Copy%20(2)%20of%20acquisitions.md] |
| URL | http://localhost:3000/ftp/Copy%20(2)%20of%20announcement_encrypted.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/Copy%20(2)%20of%20announcement_encrypted.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/Copy%20(2)%20of%20announcement_encrypted.md] |
| URL | http://localhost:3000/ftp/Copy%20(2)%20of%20legal.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/Copy%20(2)%20of%20legal.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/Copy%20(2)%20of%20legal.md] |
| URL | http://localhost:3000/ftp/Copy%20(3)%20of%20acquisitions.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/Copy%20(3)%20of%20acquisitions.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/Copy%20(3)%20of%20acquisitions.md] |
| URL | http://localhost:3000/ftp/Copy%20(3)%20of%20announcement_encrypted.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/Copy%20(3)%20of%20announcement_encrypted.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/Copy%20(3)%20of%20announcement_encrypted.md] |
| URL | http://localhost:3000/ftp/Copy%20(3)%20of%20legal.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/Copy%20(3)%20of%20legal.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/Copy%20(3)%20of%20legal.md] |
| URL | http://localhost:3000/ftp/Copy%20of%20acquisitions.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/Copy%20of%20acquisitions.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/Copy%20of%20acquisitions.md] |
| URL | http://localhost:3000/ftp/Copy%20of%20announcement_encrypted.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/Copy%20of%20announcement_encrypted.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/Copy%20of%20announcement_encrypted.md] |
| URL | http://localhost:3000/ftp/Copy%20of%20Copy%20of%20acquisitions.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/Copy%20of%20Copy%20of%20acquisitions.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/acquisitions.md] is available at [http://localhost:3000/ftp/Copy%20of%20Copy%20of%20acquisitions.md] |
| URL | http://localhost:3000/ftp/Copy%20of%20Copy%20of%20announcement_encrypted.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/Copy%20of%20Copy%20of%20announcement_encrypted.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/announcement_encrypted.md] is available at [http://localhost:3000/ftp/Copy%20of%20Copy%20of%20announcement_encrypted.md] |
| URL | http://localhost:3000/ftp/Copy%20of%20Copy%20of%20legal.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/Copy%20of%20Copy%20of%20legal.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/Copy%20of%20Copy%20of%20legal.md] |
| URL | http://localhost:3000/ftp/Copy%20of%20legal.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/Copy%20of%20legal.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/Copy%20of%20legal.md] |
| URL | http://localhost:3000/ftp/legal%20-%20Copy%20(2).md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal%20-%20Copy%20(2).md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal%20-%20Copy%20(2).md] |
| URL | http://localhost:3000/ftp/legal%20-%20Copy%20(3).md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal%20-%20Copy%20(3).md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal%20-%20Copy%20(3).md] |
| URL | http://localhost:3000/ftp/legal%20-%20Copy.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal%20-%20Copy.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal%20-%20Copy.md] |
| URL | http://localhost:3000/ftp/legal-backup.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal-backup.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal-backup.md] |
| URL | http://localhost:3000/ftp/legal.0.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.0.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.0.md] |
| URL | http://localhost:3000/ftp/legal.1.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.1.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.1.md] |
| URL | http://localhost:3000/ftp/legal.2.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.2.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.2.md] |
| URL | http://localhost:3000/ftp/legal.3.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.3.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.3.md] |
| URL | http://localhost:3000/ftp/legal.7z.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.7z.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.7z.md] |
| URL | http://localhost:3000/ftp/legal.bac.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.bac.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.bac.md] |
| URL | http://localhost:3000/ftp/legal.backup.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.backup.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.backup.md] |
| URL | http://localhost:3000/ftp/legal.bak.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.bak.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.bak.md] |
| URL | http://localhost:3000/ftp/legal.bz2.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.bz2.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.bz2.md] |
| URL | http://localhost:3000/ftp/legal.exe.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.exe.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.exe.md] |
| URL | http://localhost:3000/ftp/legal.gz.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.gz.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.gz.md] |
| URL | http://localhost:3000/ftp/legal.jar.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.jar.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.jar.md] |
| URL | http://localhost:3000/ftp/legal.log.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.log.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.log.md] |
| URL | http://localhost:3000/ftp/legal.old.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.old.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.old.md] |
| URL | http://localhost:3000/ftp/legal.orig.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.orig.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.orig.md] |
| URL | http://localhost:3000/ftp/legal.swp.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.swp.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.swp.md] |
| URL | http://localhost:3000/ftp/legal.tar.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.tar.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.tar.md] |
| URL | http://localhost:3000/ftp/legal.tmp.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.tmp.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.tmp.md] |
| URL | http://localhost:3000/ftp/legal.zip.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.zip.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.zip.md] |
| URL | http://localhost:3000/ftp/legal.~bk.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal.~bk.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal.~bk.md] |
| URL | http://localhost:3000/ftp/legal_backup.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal_backup.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal_backup.md] |
| URL | http://localhost:3000/ftp/legalbackup.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legalbackup.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legalbackup.md] |
| URL | http://localhost:3000/ftp/legal~.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/legal~.md |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/legal.md] is available at [http://localhost:3000/ftp/legal~.md] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy%20(2) |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy%20(2) |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy%20(2)] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy%20(2)/juicy_malware_linux_amd_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy%20(2)/juicy_malware_linux_amd_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_linux_amd_64.url] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy%20(2)/juicy_malware_linux_amd_64.url] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy%20(2)/juicy_malware_linux_arm_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy%20(2)/juicy_malware_linux_arm_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_linux_arm_64.url] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy%20(2)/juicy_malware_linux_arm_64.url] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy%20(2)/juicy_malware_macos_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy%20(2)/juicy_malware_macos_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_macos_64.url] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy%20(2)/juicy_malware_macos_64.url] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy%20(2)/juicy_malware_windows_64.exe.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy%20(2)/juicy_malware_windows_64.exe.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_windows_64.exe.url] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy%20(2)/juicy_malware_windows_64.exe.url] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy%20(3) |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy%20(3) |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy%20(3)] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy%20(3)/juicy_malware_linux_amd_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy%20(3)/juicy_malware_linux_amd_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_linux_amd_64.url] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy%20(3)/juicy_malware_linux_amd_64.url] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy%20(3)/juicy_malware_linux_arm_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy%20(3)/juicy_malware_linux_arm_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_linux_arm_64.url] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy%20(3)/juicy_malware_linux_arm_64.url] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy%20(3)/juicy_malware_macos_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy%20(3)/juicy_malware_macos_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_macos_64.url] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy%20(3)/juicy_malware_macos_64.url] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy%20(3)/juicy_malware_windows_64.exe.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy%20(3)/juicy_malware_windows_64.exe.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_windows_64.exe.url] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy%20(3)/juicy_malware_windows_64.exe.url] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy/juicy_malware_linux_amd_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy/juicy_malware_linux_amd_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_linux_amd_64.url] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy/juicy_malware_linux_amd_64.url] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy/juicy_malware_linux_arm_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy/juicy_malware_linux_arm_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_linux_arm_64.url] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy/juicy_malware_linux_arm_64.url] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy/juicy_malware_macos_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy/juicy_malware_macos_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_macos_64.url] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy/juicy_malware_macos_64.url] |
| URL | http://localhost:3000/ftp/quarantine%20-%20Copy/juicy_malware_windows_64.exe.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine%20-%20Copy/juicy_malware_windows_64.exe.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_windows_64.exe.url] is available at [http://localhost:3000/ftp/quarantine%20-%20Copy/juicy_malware_windows_64.exe.url] |
| URL | http://localhost:3000/ftp/quarantine-backup |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine-backup |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine-backup] |
| URL | http://localhost:3000/ftp/quarantine-backup/juicy_malware_linux_amd_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine-backup/juicy_malware_linux_amd_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_linux_amd_64.url] is available at [http://localhost:3000/ftp/quarantine-backup/juicy_malware_linux_amd_64.url] |
| URL | http://localhost:3000/ftp/quarantine-backup/juicy_malware_linux_arm_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine-backup/juicy_malware_linux_arm_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_linux_arm_64.url] is available at [http://localhost:3000/ftp/quarantine-backup/juicy_malware_linux_arm_64.url] |
| URL | http://localhost:3000/ftp/quarantine-backup/juicy_malware_macos_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine-backup/juicy_malware_macos_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_macos_64.url] is available at [http://localhost:3000/ftp/quarantine-backup/juicy_malware_macos_64.url] |
| URL | http://localhost:3000/ftp/quarantine-backup/juicy_malware_windows_64.exe.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine-backup/juicy_malware_windows_64.exe.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_windows_64.exe.url] is available at [http://localhost:3000/ftp/quarantine-backup/juicy_malware_windows_64.exe.url] |
| URL | http://localhost:3000/ftp/quarantine.0 |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.0 |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.0] |
| URL | http://localhost:3000/ftp/quarantine.1 |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.1 |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.1] |
| URL | http://localhost:3000/ftp/quarantine.2 |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.2 |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.2] |
| URL | http://localhost:3000/ftp/quarantine.3 |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.3 |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.3] |
| URL | http://localhost:3000/ftp/quarantine.7z |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.7z |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.7z] |
| URL | http://localhost:3000/ftp/quarantine.bac |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.bac |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.bac] |
| URL | http://localhost:3000/ftp/quarantine.backup |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.backup |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.backup] |
| URL | http://localhost:3000/ftp/quarantine.bak |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.bak |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.bak] |
| URL | http://localhost:3000/ftp/quarantine.bz2 |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.bz2 |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.bz2] |
| URL | http://localhost:3000/ftp/quarantine.exe |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.exe |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.exe] |
| URL | http://localhost:3000/ftp/quarantine.gz |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.gz |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.gz] |
| URL | http://localhost:3000/ftp/quarantine.jar |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.jar |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.jar] |
| URL | http://localhost:3000/ftp/quarantine.log |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.log |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.log] |
| URL | http://localhost:3000/ftp/quarantine.old |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.old |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.old] |
| URL | http://localhost:3000/ftp/quarantine.orig |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.orig |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.orig] |
| URL | http://localhost:3000/ftp/quarantine.swp |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.swp |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.swp] |
| URL | http://localhost:3000/ftp/quarantine.tar |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.tar |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.tar] |
| URL | http://localhost:3000/ftp/quarantine.tmp |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.tmp |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.tmp] |
| URL | http://localhost:3000/ftp/quarantine.zip |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.zip |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.zip] |
| URL | http://localhost:3000/ftp/quarantine.~bk |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine.~bk |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine.~bk] |
| URL | http://localhost:3000/ftp/quarantine_backup |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine_backup |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine_backup] |
| URL | http://localhost:3000/ftp/quarantine_backup/juicy_malware_linux_amd_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine_backup/juicy_malware_linux_amd_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_linux_amd_64.url] is available at [http://localhost:3000/ftp/quarantine_backup/juicy_malware_linux_amd_64.url] |
| URL | http://localhost:3000/ftp/quarantine_backup/juicy_malware_linux_arm_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine_backup/juicy_malware_linux_arm_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_linux_arm_64.url] is available at [http://localhost:3000/ftp/quarantine_backup/juicy_malware_linux_arm_64.url] |
| URL | http://localhost:3000/ftp/quarantine_backup/juicy_malware_macos_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine_backup/juicy_malware_macos_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_macos_64.url] is available at [http://localhost:3000/ftp/quarantine_backup/juicy_malware_macos_64.url] |
| URL | http://localhost:3000/ftp/quarantine_backup/juicy_malware_windows_64.exe.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine_backup/juicy_malware_windows_64.exe.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_windows_64.exe.url] is available at [http://localhost:3000/ftp/quarantine_backup/juicy_malware_windows_64.exe.url] |
| URL | http://localhost:3000/ftp/quarantinebackup |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantinebackup |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantinebackup] |
| URL | http://localhost:3000/ftp/quarantinebackup/juicy_malware_linux_amd_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantinebackup/juicy_malware_linux_amd_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_linux_amd_64.url] is available at [http://localhost:3000/ftp/quarantinebackup/juicy_malware_linux_amd_64.url] |
| URL | http://localhost:3000/ftp/quarantinebackup/juicy_malware_linux_arm_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantinebackup/juicy_malware_linux_arm_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_linux_arm_64.url] is available at [http://localhost:3000/ftp/quarantinebackup/juicy_malware_linux_arm_64.url] |
| URL | http://localhost:3000/ftp/quarantinebackup/juicy_malware_macos_64.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantinebackup/juicy_malware_macos_64.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_macos_64.url] is available at [http://localhost:3000/ftp/quarantinebackup/juicy_malware_macos_64.url] |
| URL | http://localhost:3000/ftp/quarantinebackup/juicy_malware_windows_64.exe.url |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantinebackup/juicy_malware_windows_64.exe.url |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine/juicy_malware_windows_64.exe.url] is available at [http://localhost:3000/ftp/quarantinebackup/juicy_malware_windows_64.exe.url] |
| URL | http://localhost:3000/ftp/quarantine~ |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/quarantine~ |
| Evidence | |
| Other Info | A backup of [http://localhost:3000/ftp/quarantine] is available at [http://localhost:3000/ftp/quarantine~] |
| Instances | 174 |
| Solution | Do not edit files in-situ on the web server, and ensure that unnecessary files (including hidden files) are removed from the web server. |
| Reference | https://cwe.mitre.org/data/definitions/530.html https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html |
| CWE Id | 530 |
| WASC Id | 34 |
| Plugin Id | 10095 |
| Medium | Cross-Domain Misconfiguration |
|---|---|
| Description | Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. |
| URL | http://localhost:3000 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/.DS_Store |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/api/Challenges/?name=Score%20Board |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/api/Quantitys/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/assets/i18n/en.json |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/assets/public/images/products/apple_juice.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/assets/public/images/products/apple_pressings.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/assets/public/images/products/artwork2.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/assets/public/images/products/banana_juice.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/assets/public/images/products/eggfruit_juice.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/assets/public/images/products/fan_facemask.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/assets/public/images/products/fruit_press.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/assets/public/images/products/green_smoothie.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/assets/public/images/products/lemon_juice.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/assets/public/images/products/permafrost.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/font-mfizz.woff |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/acquisitions.md |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/announcement_encrypted.md |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/coupons_2013.md.bak |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/eastere.gg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/encrypt.pyc |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/incident-support.kdbx |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/legal.md |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/package.json.bak |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/quarantine |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/quarantine/juicy_malware_linux_amd_64.url |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/quarantine/juicy_malware_linux_arm_64.url |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/quarantine/juicy_malware_macos_64.url |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/quarantine/juicy_malware_windows_64.exe.url |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/ftp/suspicious_errors.yml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/fileServer.js:43:13 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/build/routes/fileServer.js:59:18 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | 31 further instances of this alert, each with the same Method (GET), empty Parameter and Attack, the same Evidence (Access-Control-Allow-Origin: *) and the same Other Info as above, all on the same favicon_js.ico resource under http://localhost:3000/juice-shop/node_modules/express/lib/router/ reached through successively shallower nestings of the recursive assets/public/ path |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/index.js:280:10 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/index.js:286:9 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/index.js:328:13 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/index.js:365:14 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/index.js:376:14 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/index.js:421:3 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/express/lib/router/layer.js:95:5 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/juice-shop/node_modules/serve-index/index.js:145:39 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/MaterialIcons-Regular.woff2 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/redirect?to=https://github.com/juice-shop/juice-shop |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/rest/admin/application-configuration |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/rest/admin/application-version |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/rest/languages |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/rest/products/search?q= |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/robots.txt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/sitemap.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Other Info | The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. |
| Instances | 224 |
| Solution | Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner. |
| Reference | https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy |
| CWE Id | 264 |
| WASC Id | 14 |
| Plugin Id | 10098 |

| Medium | ELMAH Information Leak |
|---|---|
| Description | The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. |
| URL | http://localhost:3000/elmah.axd |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | |
| Instances | 1 |
| Solution | Consider whether or not ELMAH is actually required in production; if it isn't, disable it. If it is, ensure that access to it requires authentication and authorization. See also: https://elmah.github.io/a/securing-error-log-pages/ |
| Reference | https://www.troyhunt.com/aspnet-session-hijacking-with-google/ https://www.nuget.org/packages/elmah https://elmah.github.io/ |
| CWE Id | 94 |
| WASC Id | 14 |
| Plugin Id | 40028 |

| Medium | HTTP Only Site |
|---|---|
| Description | The site is only served under HTTP and not HTTPS. |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Failed to connect. ZAP attempted to connect via: https://localhost:3000/rest/2fa/verify |
| Instances | 1 |
| Solution | Configure your web or application server to use SSL (https). |
| Reference | https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html https://letsencrypt.org/ |
| CWE Id | 311 |
| WASC Id | 4 |
| Plugin Id | 10106 |

| Medium | Hidden File Found |
|---|---|
| Description | A sensitive file was identified as accessible or available. This may leak administrative, configuration, or credential information which can be leveraged by a malicious individual to further attack the system or conduct social engineering efforts. |
| URL | http://localhost:3000/._darcs |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | |
| URL | http://localhost:3000/.bzr |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | |
| URL | http://localhost:3000/.DS_Store |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | ds_store |
| URL | http://localhost:3000/.git/config |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | git_dir |
| URL | http://localhost:3000/.hg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | |
| URL | http://localhost:3000/.idea/WebServers.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | idea |
| URL | http://localhost:3000/.php_cs.cache |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | php_cs_cache |
| URL | http://localhost:3000/.ssh/id_dsa |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | keys |
| URL | http://localhost:3000/.ssh/id_rsa |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | keys |
| URL | http://localhost:3000/.svn/entries |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | svn_dir |
| URL | http://localhost:3000/.svn/wc.db |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | svn_dir |
| URL | http://localhost:3000/_framework/blazor.boot.json |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | Blazor This Blazor config file often lists DLLs which in turn may contain credentials or other sensitive details. |
| URL | http://localhost:3000/_wpeprivate/config.json |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | wordpress/WPEngine |
| URL | http://localhost:3000/adminer.php |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | adminer |
| URL | http://localhost:3000/app/etc/local.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | magento_config |
| URL | http://localhost:3000/BitKeeper |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | |
| URL | http://localhost:3000/CHANGELOG.txt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | drupal |
| URL | http://localhost:3000/composer.json |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | composer |
| URL | http://localhost:3000/composer.lock |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | composer |
| URL | http://localhost:3000/config/database.yml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | rails_database_yml |
| URL | http://localhost:3000/config/databases.yml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | symfony_databases_yml |
| URL | http://localhost:3000/core |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | coredump |
| URL | http://localhost:3000/CVS/root |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | cvs_dir |
| URL | http://localhost:3000/DEADJOE |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | deadjoe |
| URL | http://localhost:3000/filezilla.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | filezilla_xml |
| URL | http://localhost:3000/i.php |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | phpinfo |
| URL | http://localhost:3000/id_dsa |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | keys |
| URL | http://localhost:3000/id_rsa |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | keys |
| URL | http://localhost:3000/info.php |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | phpinfo |
| URL | http://localhost:3000/key.pem |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | keys |
| URL | http://localhost:3000/lfm.php |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | lfm_php |
| URL | http://localhost:3000/myserver.key |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | keys |
| URL | http://localhost:3000/phpinfo.php |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | phpinfo |
| URL | http://localhost:3000/privatekey.key |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | keys |
| URL | http://localhost:3000/server-info |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | apache_server_info |
| URL | http://localhost:3000/server-status |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | apache_server_status |
| URL | http://localhost:3000/server.key |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | keys |
| URL | http://localhost:3000/sftp-config.json |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | sftp_config |
| URL | http://localhost:3000/sitemanager.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | filezilla_xml |
| URL | http://localhost:3000/sites/default/files/.ht.sqlite |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | drupaldb |
| URL | http://localhost:3000/sites/default/private/files/backup_migrate/scheduled/test.txt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | drupal_backup_migrate |
| URL | http://localhost:3000/test.php |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | phpinfo |
| URL | http://localhost:3000/vb_test.php |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | vb_test |
| URL | http://localhost:3000/vim_settings.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | jetbrains_vim_settings |
| URL | http://localhost:3000/winscp.ini |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | winscp_ini |
| URL | http://localhost:3000/WS_FTP.ini |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 200 OK |
| Other Info | wsftp_ini |
| Instances | 46 |
| Solution |
Consider whether the component is actually required in production; if it is not, disable it or leave it out of the deployment. If it is, ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs. Note that this rule alerts on the 200 status alone (see the Evidence column above): an application that answers every unknown path with its single-page index document will produce a hit for each probe, so confirm a finding by checking that the response body really is the named file before treating it as a disclosure.
|
| Reference | https://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html |
| CWE Id | 538 |
| WASC Id | 13 |
| Plugin Id | 40035 |
|
Medium |
Missing Anti-clickjacking Header |
|---|---|
| Description |
The response does not protect against 'ClickJacking' attacks. It should include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options.
|
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaSW&sid=n5Uh5L1rIJHfIQX-AAAf |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaVf&sid=LKJ-_FXsBzlh84VKAAAe |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIb_h&sid=OVMXjcsEKKnJ18pJAAAp |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbCf&sid=8JA7uSXPXSVN9717AAAj |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbEf&sid=ZAZ2DKHLWikURXggAAAi |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbj9&sid=ONbMF3vmLX0eRsAkAAAm |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbM7&sid=yQFN1nWRLB5Z9lODAAAk |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIc6l&sid=Q3pj-w4C8cp0jbvyAAAq |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIcN1&sid=OVMXjcsEKKnJ18pJAAAp |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIcqA&sid=Hce6tw7w2cu2QuvNAAAu |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIctK&sid=Hce6tw7w2cu2QuvNAAAu |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdkf&sid=V8P3esqepqxAaRKtAAA1 |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdPJ&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrITXg&sid=ySzRhkhzWa-HcBHjAAAG |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIUFX&sid=8h9tmlUqpLWT1OC8AAAI |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIVBz&sid=FLZJf9Qvr74t2QD_AAAK |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIVd4&sid=3Wd9Qc6SOt2J_7LcAAAM |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIWM1&sid=4yguUaOnGoIw0gbrAAAO |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXQ3&sid=vDm7-i1Nnb-lIU_6AAAQ |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXqY&sid=xyHF1bhg3o751MlvAAAS |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIY_V&sid=Wj1yB4oTTgtC46__AAAa |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYE-&sid=VyIpwimzMp-Rct1CAAAU |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYIQ&sid=kTHRhSsBMYKMdLVZAAAV |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYs4&sid=ZdJIi-VKJ8hF4_viAAAY |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIZqH&sid=cQARiR1Qqmjm8lF2AAAc |
| Method | POST |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | 27 |
| Solution |
Modern web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. Alternatively, or in addition, implement Content Security Policy's "frame-ancestors" directive, which browsers that support it honour in preference to X-Frame-Options. The instances above are Engine.IO long-polling acknowledgements served with an HTML content type rather than pages a user interacts with, so there is no UI in them to hijack; the headers are still worth emitting, and the least error-prone way is a single middleware that sets them on every response rather than per-route configuration.
|
| Reference | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options |
| CWE Id | 1021 |
| WASC Id | 15 |
| Plugin Id | 10020 |
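The following is an added example and not Juice Shop's or ZAP's code. It shows, in Node.js, a check in the spirit of this rule (does a response carry X-Frame-Options or a CSP frame-ancestors directive?) and a handler wrapper that adds both headers to every response. The sample responses are constructed; the policy values are assumptions.

```javascript
// Added example, not Juice Shop or ZAP code. Header names are the real HTTP
// header names; the policy values and the sample responses are assumptions.

// Parse a Content-Security-Policy value into { directiveName: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of String(value).split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Decide whether a response defends against framing. `headers` is a plain
// object with lower-case header names, as Node's IncomingMessage.headers gives.
// CSP frame-ancestors is checked first because browsers that support it
// ignore X-Frame-Options when both are present.
function framingProtection(headers) {
  const csp = headers['content-security-policy'];
  if (csp !== undefined) {
    const fa = parseCsp(csp)['frame-ancestors'];
    if (fa && fa.length > 0) {
      return { protected: true, reason: `CSP frame-ancestors ${fa.join(' ')}` };
    }
  }
  const xfo = headers['x-frame-options'];
  if (xfo !== undefined) {
    const v = String(xfo).trim().toUpperCase();
    if (v === 'DENY' || v === 'SAMEORIGIN') {
      return { protected: true, reason: `X-Frame-Options: ${v}` };
    }
    // ALLOW-FROM and anything else is ignored by current browsers.
    return { protected: false, reason: `X-Frame-Options value "${xfo}" is not honoured` };
  }
  return { protected: false, reason: 'no X-Frame-Options and no CSP frame-ancestors' };
}

// Wrap a Node http (req, res) handler so every response, including API and
// Engine.IO polling replies, carries both headers. Pass "'self'" only when the
// application frames itself; otherwise keep the default "'none'".
function withFramingProtection(handler, frameAncestors = "'none'") {
  const xfo = frameAncestors === "'self'" ? 'SAMEORIGIN' : 'DENY';
  return function guarded(req, res) {
    res.setHeader('Content-Security-Policy', `frame-ancestors ${frameAncestors}`);
    res.setHeader('X-Frame-Options', xfo); // fallback for browsers without CSP Level 2
    return handler(req, res);
  };
}

// Constructed sample responses: the first mirrors the flagged polling reply
// (an HTML-typed body with no framing headers); the others show fixed variants
// and one common mistake (a CSP that never mentions frame-ancestors).
const SAMPLE_RESPONSES = [
  { url: '/socket.io/?EIO=4&transport=polling', headers: { 'content-type': 'text/html' } },
  { url: '/fixed-by-xfo', headers: { 'content-type': 'text/html', 'x-frame-options': 'SAMEORIGIN' } },
  { url: '/fixed-by-csp', headers: { 'content-type': 'text/html',
      'content-security-policy': "default-src 'self'; frame-ancestors 'none'" } },
  { url: '/csp-without-frame-ancestors', headers: { 'content-type': 'text/html',
      'content-security-policy': "default-src 'self'" } },
];

// Report which sample responses the check would still flag.
function unprotectedUrls(responses = SAMPLE_RESPONSES) {
  return responses.filter(r => !framingProtection(r.headers).protected).map(r => r.url);
}

console.log(unprotectedUrls());
```

If the application already emits a Content-Security-Policy, append `frame-ancestors` to that policy instead of overwriting the header as the wrapper does here; a second CSP header is also acceptable, since browsers enforce every policy they receive.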
|
Medium |
Source Code Disclosure - SVN |
|---|---|
| Description |
The source code for the current page was disclosed by the web server.
|
| URL | http://localhost:3000/api |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/.svn/text-base/api.svn-base |
| Evidence | |
| Other Info | The source code for [api] was found at [http://localhost:3000/.svn/text-base/api.svn-base] |
| URL | http://localhost:3000/api/Challenges |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api/.svn/text-base/Challenges.svn-base |
| Evidence | |
| Other Info | The source code for [Challenges] was found at [http://localhost:3000/api/.svn/text-base/Challenges.svn-base] |
| URL | http://localhost:3000/api/Quantitys |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/api/.svn/text-base/Quantitys.svn-base |
| Evidence | |
| Other Info | The source code for [Quantitys] was found at [http://localhost:3000/api/.svn/text-base/Quantitys.svn-base] |
| URL | http://localhost:3000/assets |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/.svn/text-base/assets.svn-base |
| Evidence | |
| Other Info | The source code for [assets] was found at [http://localhost:3000/.svn/text-base/assets.svn-base] |
| URL | http://localhost:3000/assets/i18n |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/.svn/text-base/i18n.svn-base |
| Evidence | |
| Other Info | The source code for [i18n] was found at [http://localhost:3000/assets/.svn/text-base/i18n.svn-base] |
| URL | http://localhost:3000/assets/i18n/en.json |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/i18n/.svn/text-base/en.json.svn-base |
| Evidence | |
| Other Info | The source code for [en.json] was found at [http://localhost:3000/assets/i18n/.svn/text-base/en.json.svn-base] |
| URL | http://localhost:3000/assets/public |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/.svn/text-base/public.svn-base |
| Evidence | |
| Other Info | The source code for [public] was found at [http://localhost:3000/assets/.svn/text-base/public.svn-base] |
| URL | http://localhost:3000/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/public/.svn/text-base/favicon_js.ico.svn-base |
| Evidence | |
| Other Info | The source code for [favicon_js.ico] was found at [http://localhost:3000/assets/public/.svn/text-base/favicon_js.ico.svn-base] |
| URL | http://localhost:3000/assets/public/images |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/public/.svn/text-base/images.svn-base |
| Evidence | |
| Other Info | The source code for [images] was found at [http://localhost:3000/assets/public/.svn/text-base/images.svn-base] |
| URL | http://localhost:3000/assets/public/images/products |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/public/images/.svn/text-base/products.svn-base |
| Evidence | |
| Other Info | The source code for [products] was found at [http://localhost:3000/assets/public/images/.svn/text-base/products.svn-base] |
| URL | http://localhost:3000/assets/public/images/products/apple_juice.jpg |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/public/images/products/.svn/text-base/apple_juice.jpg.svn-base |
| Evidence | |
| Other Info | The source code for [apple_juice.jpg] was found at [http://localhost:3000/assets/public/images/products/.svn/text-base/apple_juice.jpg.svn-base] |
| URL | http://localhost:3000/assets/public/images/products/apple_pressings.jpg |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/public/images/products/.svn/text-base/apple_pressings.jpg.svn-base |
| Evidence | |
| Other Info | The source code for [apple_pressings.jpg] was found at [http://localhost:3000/assets/public/images/products/.svn/text-base/apple_pressings.jpg.svn-base] |
| URL | http://localhost:3000/assets/public/images/products/artwork2.jpg |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/public/images/products/.svn/text-base/artwork2.jpg.svn-base |
| Evidence | |
| Other Info | The source code for [artwork2.jpg] was found at [http://localhost:3000/assets/public/images/products/.svn/text-base/artwork2.jpg.svn-base] |
| URL | http://localhost:3000/assets/public/images/products/banana_juice.jpg |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/public/images/products/.svn/text-base/banana_juice.jpg.svn-base |
| Evidence | |
| Other Info | The source code for [banana_juice.jpg] was found at [http://localhost:3000/assets/public/images/products/.svn/text-base/banana_juice.jpg.svn-base] |
| URL | http://localhost:3000/assets/public/images/products/eggfruit_juice.jpg |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/public/images/products/.svn/text-base/eggfruit_juice.jpg.svn-base |
| Evidence | |
| Other Info | The source code for [eggfruit_juice.jpg] was found at [http://localhost:3000/assets/public/images/products/.svn/text-base/eggfruit_juice.jpg.svn-base] |
| URL | http://localhost:3000/assets/public/images/products/fan_facemask.jpg |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/public/images/products/.svn/text-base/fan_facemask.jpg.svn-base |
| Evidence | |
| Other Info | The source code for [fan_facemask.jpg] was found at [http://localhost:3000/assets/public/images/products/.svn/text-base/fan_facemask.jpg.svn-base] |
| URL | http://localhost:3000/assets/public/images/products/fruit_press.jpg |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/public/images/products/.svn/text-base/fruit_press.jpg.svn-base |
| Evidence | |
| Other Info | The source code for [fruit_press.jpg] was found at [http://localhost:3000/assets/public/images/products/.svn/text-base/fruit_press.jpg.svn-base] |
| URL | http://localhost:3000/assets/public/images/products/green_smoothie.jpg |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/public/images/products/.svn/text-base/green_smoothie.jpg.svn-base |
| Evidence | |
| Other Info | The source code for [green_smoothie.jpg] was found at [http://localhost:3000/assets/public/images/products/.svn/text-base/green_smoothie.jpg.svn-base] |
| URL | http://localhost:3000/assets/public/images/products/lemon_juice.jpg |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/public/images/products/.svn/text-base/lemon_juice.jpg.svn-base |
| Evidence | |
| Other Info | The source code for [lemon_juice.jpg] was found at [http://localhost:3000/assets/public/images/products/.svn/text-base/lemon_juice.jpg.svn-base] |
| URL | http://localhost:3000/assets/public/images/products/permafrost.jpg |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/assets/public/images/products/.svn/text-base/permafrost.jpg.svn-base |
| Evidence | |
| Other Info | The source code for [permafrost.jpg] was found at [http://localhost:3000/assets/public/images/products/.svn/text-base/permafrost.jpg.svn-base] |
| URL | http://localhost:3000/font-mfizz.woff |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/.svn/text-base/font-mfizz.woff.svn-base |
| Evidence | |
| Other Info | The source code for [font-mfizz.woff] was found at [http://localhost:3000/.svn/text-base/font-mfizz.woff.svn-base] |
| URL | http://localhost:3000/ftp |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/.svn/text-base/ftp.svn-base |
| Evidence | |
| Other Info | The source code for [ftp] was found at [http://localhost:3000/.svn/text-base/ftp.svn-base] |
| URL | http://localhost:3000/ftp/acquisitions.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/.svn/text-base/acquisitions.md.svn-base |
| Evidence | |
| Other Info | The source code for [acquisitions.md] was found at [http://localhost:3000/ftp/.svn/text-base/acquisitions.md.svn-base] |
| URL | http://localhost:3000/ftp/announcement_encrypted.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/.svn/text-base/announcement_encrypted.md.svn-base |
| Evidence | |
| Other Info | The source code for [announcement_encrypted.md] was found at [http://localhost:3000/ftp/.svn/text-base/announcement_encrypted.md.svn-base] |
| URL | http://localhost:3000/ftp/coupons_2013.md.bak |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/.svn/text-base/coupons_2013.md.bak.svn-base |
| Evidence | |
| Other Info | The source code for [coupons_2013.md.bak] was found at [http://localhost:3000/ftp/.svn/text-base/coupons_2013.md.bak.svn-base] |
| URL | http://localhost:3000/ftp/eastere.gg |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/.svn/text-base/eastere.gg.svn-base |
| Evidence | |
| Other Info | The source code for [eastere.gg] was found at [http://localhost:3000/ftp/.svn/text-base/eastere.gg.svn-base] |
| URL | http://localhost:3000/ftp/encrypt.pyc |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/.svn/text-base/encrypt.pyc.svn-base |
| Evidence | |
| Other Info | The source code for [encrypt.pyc] was found at [http://localhost:3000/ftp/.svn/text-base/encrypt.pyc.svn-base] |
| URL | http://localhost:3000/ftp/incident-support.kdbx |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/.svn/text-base/incident-support.kdbx.svn-base |
| Evidence | |
| Other Info | The source code for [incident-support.kdbx] was found at [http://localhost:3000/ftp/.svn/text-base/incident-support.kdbx.svn-base] |
| URL | http://localhost:3000/ftp/legal.md |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/.svn/text-base/legal.md.svn-base |
| Evidence | |
| Other Info | The source code for [legal.md] was found at [http://localhost:3000/ftp/.svn/text-base/legal.md.svn-base] |
| URL | http://localhost:3000/ftp/package.json.bak |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/.svn/text-base/package.json.bak.svn-base |
| Evidence | |
| Other Info | The source code for [package.json.bak] was found at [http://localhost:3000/ftp/.svn/text-base/package.json.bak.svn-base] |
| URL | http://localhost:3000/ftp/quarantine |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/.svn/text-base/quarantine.svn-base |
| Evidence | |
| Other Info | The source code for [quarantine] was found at [http://localhost:3000/ftp/.svn/text-base/quarantine.svn-base] |
| URL | http://localhost:3000/ftp/suspicious_errors.yml |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/ftp/.svn/text-base/suspicious_errors.yml.svn-base |
| Evidence | |
| Other Info | The source code for [suspicious_errors.yml] was found at [http://localhost:3000/ftp/.svn/text-base/suspicious_errors.yml.svn-base] |
| URL | http://localhost:3000/MaterialIcons-Regular.woff2 |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/.svn/text-base/MaterialIcons-Regular.woff2.svn-base |
| Evidence | |
| Other Info | The source code for [MaterialIcons-Regular.woff2] was found at [http://localhost:3000/.svn/text-base/MaterialIcons-Regular.woff2.svn-base] |
| URL | http://localhost:3000/redirect?to=https://github.com/juice-shop/juice-shop |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/.svn/text-base/redirect.svn-base |
| Evidence | |
| Other Info | The source code for [redirect] was found at [http://localhost:3000/.svn/text-base/redirect.svn-base] |
| URL | http://localhost:3000/rest |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/.svn/text-base/rest.svn-base |
| Evidence | |
| Other Info | The source code for [rest] was found at [http://localhost:3000/.svn/text-base/rest.svn-base] |
| URL | http://localhost:3000/rest/2fa |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/rest/.svn/text-base/2fa.svn-base |
| Evidence | |
| Other Info | The source code for [2fa] was found at [http://localhost:3000/rest/.svn/text-base/2fa.svn-base] |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/rest/2fa/.svn/text-base/verify.svn-base |
| Evidence | |
| Other Info | The source code for [verify] was found at [http://localhost:3000/rest/2fa/.svn/text-base/verify.svn-base] |
| URL | http://localhost:3000/rest/admin |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/rest/.svn/text-base/admin.svn-base |
| Evidence | |
| Other Info | The source code for [admin] was found at [http://localhost:3000/rest/.svn/text-base/admin.svn-base] |
| URL | http://localhost:3000/rest/admin/application-configuration |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/rest/admin/.svn/text-base/application-configuration.svn-base |
| Evidence | |
| Other Info | The source code for [application-configuration] was found at [http://localhost:3000/rest/admin/.svn/text-base/application-configuration.svn-base] |
| URL | http://localhost:3000/rest/admin/application-version |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/rest/admin/.svn/text-base/application-version.svn-base |
| Evidence | |
| Other Info | The source code for [application-version] was found at [http://localhost:3000/rest/admin/.svn/text-base/application-version.svn-base] |
| URL | http://localhost:3000/rest/languages |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/rest/.svn/text-base/languages.svn-base |
| Evidence | |
| Other Info | The source code for [languages] was found at [http://localhost:3000/rest/.svn/text-base/languages.svn-base] |
| URL | http://localhost:3000/rest/products |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/rest/.svn/text-base/products.svn-base |
| Evidence | |
| Other Info | The source code for [products] was found at [http://localhost:3000/rest/.svn/text-base/products.svn-base] |
| URL | http://localhost:3000/rest/products/search?q= |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/rest/products/.svn/text-base/search.svn-base |
| Evidence | |
| Other Info | The source code for [search] was found at [http://localhost:3000/rest/products/.svn/text-base/search.svn-base] |
| URL | http://localhost:3000/robots.txt |
| Method | GET |
| Parameter | |
| Attack | http://localhost:3000/.svn/text-base/robots.txt.svn-base |
| Evidence | |
| Other Info | The source code for [robots.txt] was found at [http://localhost:3000/.svn/text-base/robots.txt.svn-base] |
| Instances | 44 |
| Solution |
Ensure that SVN metadata files (the .svn directory, including the text-base copies it keeps of every versioned file) are not deployed to the web server or application server: deploy an exported tree (svn export) or a build artefact rather than a working copy, and have the web server refuse any path containing a .svn segment as a backstop. As with the hidden-file rule above, a 200 for a .svn-base URL from an application that answers unknown paths with its index page is not proof of disclosure; compare the returned body with the original resource before reporting it, and treat hits for binary assets such as the images and fonts listed above with particular suspicion.
|
| Reference |
https://owasp.org/www-community/attacks/Forced_browsing
https://cwe.mitre.org/data/definitions/425.html |
| CWE Id | 541 |
| WASC Id | 34 |
| Plugin Id | 42 |
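The following is an added example and not Juice Shop's or ZAP's code. It serves both the Hidden File Found solution and the SVN solution above: a path filter and Express-style middleware that refuse the version-control directories, key files and tool configuration files probed for in this report (the list is drawn from the URLs above and is an assumption about what a given deployment must never serve), plus a triage helper that separates a real 200 from a single-page catch-all. The sample hits and index document are constructed.

```javascript
// Added example, not Juice Shop or ZAP code. The path list is drawn from the
// URLs reported above; the sample bodies are constructed.

// Directory names and file names that have no business under a web root.
// Names are matched against the final path segment only, so 'core' blocks
// /core and /tmp/core but not /core-api.
const FORBIDDEN_SEGMENTS = new Set(['.svn', '.git', '.hg', 'cvs', 'bitkeeper']);
const FORBIDDEN_NAMES = new Set([
  'id_rsa', 'id_dsa', 'key.pem', 'server.key', 'privatekey.key', 'myserver.key',
  'composer.json', 'composer.lock', 'database.yml', 'databases.yml', 'local.xml',
  'sftp-config.json', 'sitemanager.xml', 'filezilla.xml', 'winscp.ini', 'ws_ftp.ini',
  'vim_settings.xml', 'core', 'deadjoe', 'server-status', 'server-info',
]);
const FORBIDDEN_SUFFIXES = ['.svn-base', '.bak', '.key', '.pem', '.sqlite'];

// True when a request path must be refused. The path is percent-decoded and
// dot-segments are resolved first so that /%2esvn/entries or
// /assets/../.svn/entries is judged the same as /.svn/entries.
function isForbiddenPath(pathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch (e) {
    return true; // malformed percent-encoding: refuse rather than guess
  }
  const segments = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { segments.pop(); continue; }
    segments.push(seg.toLowerCase());
  }
  if (segments.some(s => FORBIDDEN_SEGMENTS.has(s))) return true;
  const last = segments.length ? segments[segments.length - 1] : '';
  if (FORBIDDEN_NAMES.has(last)) return true;
  return FORBIDDEN_SUFFIXES.some(suffix => last.endsWith(suffix));
}

// Express-style middleware: mount it before static file serving and before the
// SPA catch-all. It answers with the same 404 an unknown path would get, so a
// scanner cannot tell a blocked file from a missing one.
function denyHiddenFiles(req, res, next) {
  const pathname = req.url.split('?')[0];
  if (isForbiddenPath(pathname)) {
    res.statusCode = 404;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Not Found');
    return;
  }
  next();
}

// Triage for the hits in this report: a 200 whose body is the application's
// own index document is the SPA catch-all, not a disclosed file.
function classifyHit(status, body, indexBody) {
  if (status !== 200) return 'not-disclosed';
  if (body === indexBody) return 'catch-all-page';
  const head = body.slice(0, 256).trimStart().toLowerCase();
  if (head.startsWith('<!doctype html') || head.startsWith('<html')) return 'html-review';
  return 'possible-disclosure';
}

// Constructed samples standing in for the scanner's hits.
const INDEX_HTML = '<!DOCTYPE html><html><head><title>shop</title></head><body></body></html>';
const SAMPLE_HITS = [
  { url: '/id_rsa', status: 200, body: INDEX_HTML },
  { url: '/server.key', status: 200, body: '-----BEGIN PRIVATE KEY-----\n(constructed sample)' },
  { url: '/.svn/text-base/api.svn-base', status: 404, body: 'Not Found' },
];

function triage(hits = SAMPLE_HITS) {
  return hits.map(h => ({ url: h.url, verdict: classifyHit(h.status, h.body, INDEX_HTML) }));
}

console.log(triage());
```

Run the triage against the bodies the scanner actually received (ZAP stores them in the history) before filing any of the 46 hidden-file or 44 SVN instances; a `possible-disclosure` verdict for a key or configuration file is the one that needs immediate action.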
|
Low |
Full Path Disclosure |
|---|---|
| Description |
The full path of files which might be sensitive has been exposed to the client.
|
| URL | http://localhost:3000/ftp/coupons_2013.md.bak |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | /lib/ |
| Other Info | |
| URL | http://localhost:3000/ftp/eastere.gg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | /lib/ |
| Other Info | |
| URL | http://localhost:3000/ftp/encrypt.pyc |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | /lib/ |
| Other Info | |
| URL | http://localhost:3000/ftp/package.json.bak |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | /lib/ |
| Other Info | |
| URL | http://localhost:3000/ftp/suspicious_errors.yml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | /lib/ |
| Other Info | |
| Instances | 5 |
| Solution |
Disable directory browsing in your web server (refer to its documentation) and make sure error pages and API responses do not echo server-side file paths. Note that the evidence here is a bare path fragment (/lib/) inside downloadable files, which is a weak indicator; confirm that a reported path actually reveals the server's filesystem layout before acting on it.
|
| Reference | https://owasp.org/www-community/attacks/Full_Path_Disclosure |
| CWE Id | 209 |
| WASC Id | 13 |
| Plugin Id | 110009 |
|
Low |
Private IP Disclosure |
|---|---|
| Description |
A private IP (such as 10.x.x.x, 172.16.x.x to 172.31.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.
|
| URL | http://localhost:3000/rest/admin/application-configuration |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 192.168.99.100:3000 |
| Other Info | 192.168.99.100:3000 192.168.99.100:4200 |
| Instances | 1 |
| Solution |
Remove the private IP address from the HTTP response body. In this instance the body is the application's configuration returned by an admin endpoint, so strip or override the internal host:port values before serving it and restrict who can call the endpoint. Where the leak is in page markup, use server-side (JSP/ASP/PHP) comments instead of HTML/JavaScript comments, which are sent to the client browser.
|
| Reference | https://tools.ietf.org/html/rfc1918 |
| CWE Id | 497 |
| WASC Id | 13 |
| Plugin Id | 2 |
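The following is an added example and not ZAP's or Juice Shop's code. It implements the detection this rule describes in Node.js, keeping the 172.16.0.0/12 boundary exact, and shows the same function reused to redact a configuration body before it is served. The sample body is constructed to resemble the flagged endpoint's output; its field names are assumptions.

```javascript
// Added example, not ZAP or Juice Shop code. The sample body is constructed
// to resemble a configuration dump; the field names are assumptions.

// Dotted-quad IPv4 with optional :port, and EC2-style ip-a-b-c-d hostnames.
const IPV4_RE = /\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?::\d{1,5})?\b/g;
const EC2_HOST_RE = /\bip-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\b/g;

// RFC 1918: 10.0.0.0/8, 172.16.0.0/12 (172.16.x.x to 172.31.x.x), 192.168.0.0/16.
function isRfc1918(a, b) {
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function validOctets(octets) {
  return octets.every(o => Number.isInteger(o) && o >= 0 && o <= 255);
}

// Return every distinct private address or EC2 private hostname in `body`,
// sorted for stable output.
function findPrivateAddresses(body) {
  const found = new Set();
  for (const re of [IPV4_RE, EC2_HOST_RE]) {
    for (const m of String(body).matchAll(re)) {
      const octets = m.slice(1, 5).map(Number);
      if (validOctets(octets) && isRfc1918(octets[0], octets[1])) found.add(m[0]);
    }
  }
  return [...found].sort();
}

// Constructed configuration body in the style of the flagged endpoint.
// 172.32.1.1 and 8.8.8.8 are public; the version string 10.2.0.1 shows the
// limit of a pattern match, which cannot tell it from an address.
const SAMPLE_BODY = JSON.stringify({
  config: {
    server: { host: '192.168.99.100:3000' },
    frontend: { host: '192.168.99.100:4200' },
    metrics: { collector: '172.16.5.5', relay: '172.32.1.1', dns: '8.8.8.8' },
    node: 'ip-10-0-56-78',
    version: '10.2.0.1',
  },
});

// Apply the same check to what is about to be served: a configuration endpoint
// that redacts private hosts before responding stops the leak at source.
function redactPrivateAddresses(body) {
  let out = String(body);
  for (const addr of findPrivateAddresses(out)) out = out.split(addr).join('[redacted]');
  return out;
}

console.log(findPrivateAddresses(SAMPLE_BODY));
```

Because a pattern match cannot distinguish a version string from an address, review each hit by hand; the redaction helper is deliberately coarse for the same reason and is meant as a safety net behind removing the values from the served configuration in the first place.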
|
Low |
X-Content-Type-Options Header Missing |
|---|---|
| Description |
The anti-MIME-sniffing header X-Content-Type-Options was not set to 'nosniff'. Without it, browsers that MIME-sniff (older versions of Internet Explorer and Chrome in particular) may interpret and render the response body as a content type other than the declared one. Firefox, current and legacy versions alike, uses the declared content type when one is set rather than sniffing. The header is honoured by all current browsers and costs nothing, so set it on every response rather than only on HTML pages.
|
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIagn&sid=n5Uh5L1rIJHfIQX-AAAf |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaLt |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaM1 |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaqF |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaSZ&sid=n5Uh5L1rIJHfIQX-AAAf |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaut |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaVl&sid=LKJ-_FXsBzlh84VKAAAe |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaxf |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIb_m&sid=OVMXjcsEKKnJ18pJAAAp |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbCk&sid=8JA7uSXPXSVN9717AAAj |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbjB&sid=ONbMF3vmLX0eRsAkAAAm |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbMA&sid=yQFN1nWRLB5Z9lODAAAk |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbqZ |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbSU |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbsz |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbwG |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIc6n&sid=Q3pj-w4C8cp0jbvyAAAq |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIcqD&sid=Hce6tw7w2cu2QuvNAAAu |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIcRi |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIcvO |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIcY5 |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIczh |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIczO |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrId15 |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdkh&sid=V8P3esqepqxAaRKtAAA1 |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdLr |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdPM&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrU&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdSn |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdsn&sid=V8P3esqepqxAaRKtAAA1 |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrITSc |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrITXi&sid=ySzRhkhzWa-HcBHjAAAG |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIUCU |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIUFZ&sid=8h9tmlUqpLWT1OC8AAAI |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIUJ7&sid=8h9tmlUqpLWT1OC8AAAI |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIV7E |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIVB_&sid=FLZJf9Qvr74t2QD_AAAK |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIVd7&sid=3Wd9Qc6SOt2J_7LcAAAM |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIVFT&sid=FLZJf9Qvr74t2QD_AAAK |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIViN&sid=3Wd9Qc6SOt2J_7LcAAAM |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIVYY |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIWDS |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIWM5&sid=4yguUaOnGoIw0gbrAAAO |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIWSK&sid=4yguUaOnGoIw0gbrAAAO |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXJM |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXnJ |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXQ5&sid=vDm7-i1Nnb-lIU_6AAAQ |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXqa&sid=xyHF1bhg3o751MlvAAAS |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXti&sid=xyHF1bhg3o751MlvAAAS |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXTQ&sid=vDm7-i1Nnb-lIU_6AAAQ |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIY_X&sid=Wj1yB4oTTgtC46__AAAa |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYAb |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYDG |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYF0&sid=VyIpwimzMp-Rct1CAAAU |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYIT&sid=kTHRhSsBMYKMdLVZAAAV |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYs7&sid=ZdJIi-VKJ8hF4_viAAAY |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYTq&sid=VyIpwimzMp-Rct1CAAAU |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYwC |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYwj&sid=ZdJIi-VKJ8hF4_viAAAY |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYYs |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIZ7l&sid=Wj1yB4oTTgtC46__AAAa |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIZkO |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIZqJ&sid=cQARiR1Qqmjm8lF2AAAc |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIZt4&sid=cQARiR1Qqmjm8lF2AAAc |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaSW&sid=n5Uh5L1rIJHfIQX-AAAf |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaVf&sid=LKJ-_FXsBzlh84VKAAAe |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIb_h&sid=OVMXjcsEKKnJ18pJAAAp |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbCf&sid=8JA7uSXPXSVN9717AAAj |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbEf&sid=ZAZ2DKHLWikURXggAAAi |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbj9&sid=ONbMF3vmLX0eRsAkAAAm |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbM7&sid=yQFN1nWRLB5Z9lODAAAk |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIc6l&sid=Q3pj-w4C8cp0jbvyAAAq |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIcN1&sid=OVMXjcsEKKnJ18pJAAAp |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIcqA&sid=Hce6tw7w2cu2QuvNAAAu |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIctK&sid=Hce6tw7w2cu2QuvNAAAu |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdkf&sid=V8P3esqepqxAaRKtAAA1 |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdPJ&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrITXg&sid=ySzRhkhzWa-HcBHjAAAG |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIUFX&sid=8h9tmlUqpLWT1OC8AAAI |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIVBz&sid=FLZJf9Qvr74t2QD_AAAK |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIVd4&sid=3Wd9Qc6SOt2J_7LcAAAM |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIWM1&sid=4yguUaOnGoIw0gbrAAAO |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXQ3&sid=vDm7-i1Nnb-lIU_6AAAQ |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXqY&sid=xyHF1bhg3o751MlvAAAS |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIY_V&sid=Wj1yB4oTTgtC46__AAAa |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYE-&sid=VyIpwimzMp-Rct1CAAAU |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYIQ&sid=kTHRhSsBMYKMdLVZAAAV |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYs4&sid=ZdJIi-VKJ8hF4_viAAAY |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIZqH&sid=cQARiR1Qqmjm8lF2AAAc |
| Method | POST |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info | This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses. |
| Instances | 92 |
| Solution |
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
|
| Reference |
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
https://owasp.org/www-community/Security_Headers |
| CWE Id | 693 |
| WASC Id | 15 |
| Plugin Id | 10021 |
|
Informational |
.env Information Leak |
|---|---|
| Description |
One or more .env files seem to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information.
|
| URL | http://localhost:3000/api/Challenges/.env |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 401 Unauthorized |
| Other Info | Based on response status code the .env file may be protected by an authentication or authorization mechanism. |
| URL | http://localhost:3000/api/Quantitys/.env |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 403 Forbidden |
| Other Info | Based on response status code the .env file may be protected by an authentication or authorization mechanism. |
| URL | http://localhost:3000/ftp/.env |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 403 Forbidden |
| Other Info | Based on response status code the .env file may be protected by an authentication or authorization mechanism. |
| Instances | 3 |
| Solution |
Ensure the .env file is not accessible.
|
| Reference |
https://www.google.com/search?q=db_password+filetype%3Aenv
https://mobile.twitter.com/svblxyz/status/1045013939904532482 |
| CWE Id | 215 |
| WASC Id | 13 |
| Plugin Id | 40034 |
|
Informational |
.htaccess Information Leak |
|---|---|
| Description |
htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer.
|
| URL | http://localhost:3000/api/Challenges/.htaccess |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 401 Unauthorized |
| Other Info | Based on response status code htaccess file may be protected by an authentication or authorization mechanism. |
| URL | http://localhost:3000/api/Quantitys/.htaccess |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 403 Forbidden |
| Other Info | Based on response status code htaccess file may be protected by an authentication or authorization mechanism. |
| URL | http://localhost:3000/ftp/.htaccess |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 403 Forbidden |
| Other Info | Based on response status code htaccess file may be protected by an authentication or authorization mechanism. |
| Instances | 3 |
| Solution |
Ensure the .htaccess file is not accessible.
|
| Reference |
https://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess
https://httpd.apache.org/docs/2.4/howto/htaccess.html |
| CWE Id | 94 |
| WASC Id | 14 |
| Plugin Id | 40032 |
|
Informational |
Base64 Disclosure |
|---|---|
| Description |
Base64 encoded data was disclosed by the application/web server. Note: in the interests of performance, not all base64 strings in the response were analyzed individually; the entire response should be looked at by the analyst/security team/developer(s).
|
| URL | http://localhost:3000/ftp |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 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 |
| Other Info | (decoded evidence is binary PNG image data; raw bytes not reproduced) |
| URL | http://localhost:3000/ftp/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAABGdBTUEAALGPC/xhBQAAAWtQTFRFAAAA/PPQ9Nhc2q402qQ12qs2/PTX2pg12p81+/LM89NE9dto2q82+/fp2rM22qY39d6U+/bo2qo2/frx/vz32q812qs12qE279SU8c4w9NZP+/LK//367s9y7s925cp0/vzw9t92//342po2/vz25s1579B6+OSO2bQ0/v799NyT8tE79dld8Msm+OrC/vzx79KA2IYs7s6I9d6R4cJe9+OF/PLI/fry79OF/v30//328tWB89RJ8c9p8c0u9eCf//7+9txs6sts5Mdr+++5+u2z/vrv+/fq6cFz8dBs8tA57cpq+OaU9uGs27Y8//799NdX/PbY9uB89unJ//z14sNf+emh+emk+vDc+uys9+OL8dJy89NH+eic8tN5+OaV+OWR9N2n9dtl9t529+KF9+GB9Nue9NdU8tR/9t5y89qW9dpj89iO89eG/vvu2pQ12Y4z/vzy2Ict/vvv48dr/vzz4sNg///+2Igty3PqwQAAAAF0Uk5TAEDm2GYAAACtSURBVBjTY2AgA2iYlJWVhfohBPg0yx38y92dS0pKVOVBAqIi6sb2vsWWpfrFeTI8QAEhYQEta28nCwM1OVleZqCAmKCEkUdwYWmhQnFeOStQgL9cySqkNNDHVJGbiY0FKCCuYuYSGRsV5KgjxcXIARRQNncNj09JTgqw0ZbkZAcK5LuFJaRmZqfHeNnpSucDBQoiEtOycnIz4qI9bfUKQA6pKKqAgqIKQyK8BgAZ5yfODmnHrQAAAABJRU5ErkJggg== |
| Other Info | (decoded evidence is binary PNG image data; raw bytes not reproduced) |
| URL | http://localhost:3000/ftp/quarantine |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 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 |
| Other Info | (decoded evidence is binary PNG image data; raw bytes not reproduced) |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9 |
| Other Info | {"typ":"JWT","alg":"RS256"} |
| Instances | 4 |
| Solution |
Manually confirm that the Base64 data does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.
|
| Reference | https://projects.webappsec.org/w/page/13246936/Information%20Leakage |
| CWE Id | 319 |
| WASC Id | 13 |
| Plugin Id | 10094 |
|
Informational |
Cookie Slack Detector |
|---|---|
| Description |
Repeated GET requests are sent, dropping a different cookie each time, each followed by a normal request with all cookies to stabilize the session; the responses are compared against the original baseline GET. This can reveal areas where cookie-based authentication/attributes are not actually enforced.
|
| URL | http://localhost:3000/assets/public/favicon_js.ico |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: language |
| URL | http://localhost:3000/assets/public/images/products/apple_juice.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: language |
| URL | http://localhost:3000/assets/public/images/products/apple_pressings.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: language |
| URL | http://localhost:3000/assets/public/images/products/artwork2.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: language |
| URL | http://localhost:3000/assets/public/images/products/banana_juice.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: language |
| URL | http://localhost:3000/assets/public/images/products/eggfruit_juice.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: language |
| URL | http://localhost:3000/assets/public/images/products/fan_facemask.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: language |
| URL | http://localhost:3000/assets/public/images/products/fruit_press.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: language |
| URL | http://localhost:3000/assets/public/images/products/green_smoothie.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: language |
| URL | http://localhost:3000/assets/public/images/products/lemon_juice.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: language |
| URL | http://localhost:3000/assets/public/images/products/permafrost.jpg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: language |
| URL | http://localhost:3000/font-mfizz.woff |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: cookieconsent_status,welcomebanner_status,language |
| URL | http://localhost:3000/rest/admin/application-configuration |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: cookieconsent_status,language |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: language |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: These cookies did NOT affect the response: welcomebanner_status,language |
| Instances | 15 |
| Solution | |
| Reference | https://cwe.mitre.org/data/definitions/205.html |
| CWE Id | 205 |
| WASC Id | 45 |
| Plugin Id | 90027 |
|
Informational |
Non-Storable Content |
|---|---|
| Description |
The response contents are not storable by caching components such as proxy servers. If the response does not contain sensitive, personal or user-specific information, it may benefit from being stored and cached, to improve performance.
|
| URL | http://localhost:3000/api/Challenges/?name=Score%20Board |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 304 |
| Other Info | |
| URL | http://localhost:3000/api/Quantitys/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 304 |
| Other Info | |
| URL | http://localhost:3000/ftp |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | authorization: |
| Other Info | |
| URL | http://localhost:3000/ftp/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | authorization: |
| Other Info | |
| URL | http://localhost:3000/ftp/coupons_2013.md.bak |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | authorization: |
| Other Info | |
| URL | http://localhost:3000/ftp/eastere.gg |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | authorization: |
| Other Info | |
| URL | http://localhost:3000/ftp/encrypt.pyc |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | authorization: |
| Other Info | |
| URL | http://localhost:3000/ftp/package.json.bak |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | authorization: |
| Other Info | |
| URL | http://localhost:3000/ftp/quarantine |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | authorization: |
| Other Info | |
| URL | http://localhost:3000/ftp/suspicious_errors.yml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | authorization: |
| Other Info | |
| URL | http://localhost:3000/redirect?to=https://github.com/juice-shop/juice-shop |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 302 |
| Other Info | |
| URL | http://localhost:3000/rest/admin/application-configuration |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 304 |
| Other Info | |
| URL | http://localhost:3000/rest/admin/application-version |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 304 |
| Other Info | |
| URL | http://localhost:3000/rest/languages |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 304 |
| Other Info | |
| URL | http://localhost:3000/rest/products/search?q= |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 304 |
| Other Info | |
| URL | http://localhost:3000/robots.txt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | authorization: |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIb1C&sid=ZAZ2DKHLWikURXggAAAi |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 400 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=3Wd9Qc6SOt2J_7LcAAAM |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=4yguUaOnGoIw0gbrAAAO |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=8h9tmlUqpLWT1OC8AAAI |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=8JA7uSXPXSVN9717AAAj |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=cQARiR1Qqmjm8lF2AAAc |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=FLZJf9Qvr74t2QD_AAAK |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=Hce6tw7w2cu2QuvNAAAu |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=kTHRhSsBMYKMdLVZAAAV |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=LKJ-_FXsBzlh84VKAAAe |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=n5Uh5L1rIJHfIQX-AAAf |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=ONbMF3vmLX0eRsAkAAAm |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=OVMXjcsEKKnJ18pJAAAp |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=Q3pj-w4C8cp0jbvyAAAq |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=V8P3esqepqxAaRKtAAA1 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=vDm7-i1Nnb-lIU_6AAAQ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=VyIpwimzMp-Rct1CAAAU |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=Wj1yB4oTTgtC46__AAAa |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=xyHF1bhg3o751MlvAAAS |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=yQFN1nWRLB5Z9lODAAAk |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=ySzRhkhzWa-HcBHjAAAG |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=ZAZ2DKHLWikURXggAAAi |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 400 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=ZdJIi-VKJ8hF4_viAAAY |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 101 |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIb18&sid=ZAZ2DKHLWikURXggAAAi |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | 400 |
| Other Info | |
| Instances | 42 |
| Solution |
The content may be marked as storable by ensuring that the following conditions are satisfied:
The request method must be understood by the cache and defined as being cacheable ("GET", "HEAD", and "POST" are currently defined as cacheable)
The response status code must be understood by the cache (one of the 1XX, 2XX, 3XX, 4XX, or 5XX response classes are generally understood)
The "no-store" cache directive must not appear in the request or response header fields
For caching by "shared" caches such as "proxy" caches, the "private" response directive must not appear in the response
For caching by "shared" caches such as "proxy" caches, the "Authorization" header field must not appear in the request, unless the response explicitly allows it (using one of the "must-revalidate", "public", or "s-maxage" Cache-Control response directives)
In addition to the conditions above, at least one of the following conditions must also be satisfied by the response:
It must contain an "Expires" header field
It must contain a "max-age" response directive
For "shared" caches such as "proxy" caches, it must contain a "s-maxage" response directive
It must contain a "Cache Control Extension" that allows it to be cached
It must have a status code that is defined as cacheable by default (200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501).
|
| Reference |
https://datatracker.ietf.org/doc/html/rfc7234
https://datatracker.ietf.org/doc/html/rfc7231
https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html |
| CWE Id | 524 |
| WASC Id | 13 |
| Plugin Id | 10049 |
| Informational | Session Management Response Identified |
|---|---|
| Description | The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to "Auto-Detect" then this rule will change the session management to use the tokens identified. |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | authentication.token |
| Attack | |
| Evidence | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.CwoN9gfHUuEnqnYgOdtG7cgl3lSE2Dg1D0iFdqXp5im5tmUtDgtH2-LY8QNW52NPQ-96t1GOLx51Oq0tqw4mspEEojLijC37COdB6rB-VuNqAgnFzBTiNn1Rd3J7T0KE1ti9UHEIx602JR5q-ZS3uRsAkKT43U82VqgEJn0FzMM |
| Other Info | json:authentication.token |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | authentication.token |
| Attack | |
| Evidence | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MjMsInVzZXJuYW1lIjoiIiwiZW1haWwiOiJ0ZXN0QG1haWwuY29tIiwicGFzc3dvcmQiOiJhZjg4YTBhZTY0MTU4OWI5MDhmYThiMzFmMGZjZjZlMSIsInJvbGUiOiJjdXN0b21lciIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIwLjAuMC4wIiwicHJvZmlsZUltYWdlIjoiL2Fzc2V0cy9wdWJsaWMvaW1hZ2VzL3VwbG9hZHMvZGVmYXVsdC5zdmciLCJ0b3RwU2VjcmV0IjoiTlVSVU1JQ1lIWVlDRTZLSyIsImlzQWN0aXZlIjp0cnVlLCJjcmVhdGVkQXQiOiIyMDI1LTA2LTE1VDIwOjI3OjA4LjIxMVoiLCJ1cGRhdGVkQXQiOiIyMDI1LTA2LTE1VDIwOjI5OjEyLjczMloiLCJkZWxldGVkQXQiOm51bGx9LCJpYXQiOjE3NTAwMTk3Mzl9.iPqpbHE9GabhL3dY25IhyKZ-u8GjUUrgbB9cYuaA7jM1HgZXYrnJtLp0KNr4q65M33G3hO0dF-YnmsFfwKS26n5h4lKB-py7Pg4VfVMuZDjhXwxFf1dptEnZXdmawNm_lEtGknZeXWzVBJzkmQoE1IdxIK8Ye5Hc0g8jK4io1k4 |
| Other Info | json:authentication.token |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | authentication.token |
| Attack | |
| Evidence | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.mBiDGCx8qBeKxbaccVtnnGdZYSr3myHqnMQvarSly4_MWtsc7Ojda_cew5uIIsM5CPECEe5WlYVpuq4kChqj3037lbH3PNTos8ieAnnRDpXGsIo_xaPTt_Ek5CMbkhWgHLUHQrP5GFj1Z1wmbOJjf_RnoJRWGA37F6k_GUE71ro |
| Other Info | json:authentication.token |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | authentication.token |
| Attack | |
| Evidence | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.OnXSUUEGb9d31NKv_7HKBbgedrLFOpDSTbhuX1k7Igv5KNZDO8CPtRsnbA-W6a5QiAO0N4NBEQ5ba1ideRwR5RrCvtGPcFqYF_jt0bzCrz_3_NgvoMDKAI-gpEMJWU7aD9lXvSYRG3rJefbPO7H431xMYvO22rlwX_nGps9eQiw |
| Other Info | json:authentication.token |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | authentication.token |
| Attack | |
| Evidence | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.Tp7tAZJ8bIUBcJRUjTz94rxIQSx7_1Wgmp_JZeAzpxU0I50NgqzMlmO9kL5FRDikyNv73bJ5aX0SMzwE-RuKeEEw9i5ho3m31DyovajIaRXz2PiPUq4ZZ-srN7aXI_gOdvVvdICQLP_x94m-j9YeVcTqAcl3IS4ooQlS0fRmcXI |
| Other Info | json:authentication.token |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | authentication.token |
| Attack | |
| Evidence | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.Lo1RESLfy020hHdeTsnAdN-Yg0RUqMCFSlK8ZgDRr8B9ls2YwrAk4vadeCLrmIRhe3z0jzlb1WhrikZCkqTldxz1mtV2Vp2QdwD9-hPMzw8Nf6kL3YVxQlyy4WHFpuDyKPK0fiQ9O-gIrjfMcXS0nkjp371wX6Y0uOmQXWOokBQ |
| Other Info | json:authentication.token |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | authentication.token |
| Attack | |
| Evidence | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.e9r4vN5R4fE4Ohjzf1Tlz4MAy6DK0mtdeaJB-TmQaqN0aaj2K-nl6hzHWxxlbZ7ZivvR9eg-uDx3PHKeWkolgqt3TD_Mq1MoiX3EM8JJj9gOF1-7fGFWmoaJO2SahvnIbc9EAinMTJxCGPYet6iFjX2pZzBc0KUHPjgOAu6_Z6c |
| Other Info | json:authentication.token |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | authentication.token |
| Attack | |
| Evidence | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.DR5X0GB2wGXzMbE9oIyNxUJs2-sa_XUQh99o3q_rGy9-xKutDWIfyASsRo-XoDunrLANcTWoin4Go2zO3ArUzgDF9T9BOzHsSW_x6UahCO-1LlSh6OjG9QvbP7HcIaAlSQznJqMgvmnwhLNnEdwluUPNGfpHaTLl6AXZUTyd_Pw |
| Other Info | json:authentication.token |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | authentication.token |
| Attack | |
| Evidence | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.ORF9vOG4qlSwb00t533qSDZ02Re8_6lhGEaxRdttakiZVruLp-eu9Fxwl6jwOjjPkwVk-I3xOmKBXTNMJq3GMoeqJI9RnSD8euBRi6FajypjxyBu6S0MJzzkvr6w-xl8TRFeCWMyJS9TcDFpgdEYq6239_D_pznNKI9trVobAjI |
| Other Info | json:authentication.token |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | authentication.token |
| Attack | |
| Evidence | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.xPzvHg4kdSbaPLf3Q9ggV1a3ttgcxjsgYCVuSMziKLRQfCjlyuS93i3aYOrh_jf-ZLukxxWWw-16vAIIUC_8cBXv92JQ0uGJBrRRVVWAAkDHD2DZny1jtpOj7D03o-k1A9yxpRqvYZhrPC2eCZ_wIe8xrqsLGm3uPsLRPdSDNRM |
| Other Info | json:authentication.token |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | authentication.token |
| Attack | |
| Evidence | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.vSnBE2mhG3Djc4N4W8XdPHdmEvslMSIEqaVv091DKdCLaSAtQA0EG27xnN3jiAm4gbGwpzyFDpeuER7fpfK8wQ6Rj9LHnLRtPvphL0w1dS9EXDyZGJPkXpZkKCcy_viWAzf4K95sYAa9YGlYbGrLSQOgoRY0fLwvkkYEzhRBA1c |
| Other Info | json:authentication.token |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | authentication.token |
| Attack | |
| Evidence | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MjMsInVzZXJuYW1lIjoiIiwiZW1haWwiOiJ0ZXN0QG1haWwuY29tIiwicGFzc3dvcmQiOiJhZjg4YTBhZTY0MTU4OWI5MDhmYThiMzFmMGZjZjZlMSIsInJvbGUiOiJjdXN0b21lciIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIwLjAuMC4wIiwicHJvZmlsZUltYWdlIjoiL2Fzc2V0cy9wdWJsaWMvaW1hZ2VzL3VwbG9hZHMvZGVmYXVsdC5zdmciLCJ0b3RwU2VjcmV0IjoiTlVSVU1JQ1lIWVlDRTZLSyIsImlzQWN0aXZlIjp0cnVlLCJjcmVhdGVkQXQiOiIyMDI1LTA2LTE1VDIwOjI3OjA4LjIxMVoiLCJ1cGRhdGVkQXQiOiIyMDI1LTA2LTE1VDIwOjI5OjEyLjczMloiLCJkZWxldGVkQXQiOm51bGx9LCJpYXQiOjE3NTAwMjMwMTB9.pF4-L8B2rNT-Nc6rqSrwyF6aS4v9YwWCYhp6ihbS684IfRdJv4nQQqhaz36uNZ3LJTCTjnyrRUgSsV25-vxW9cxrkNrRtG-ZaAWqo5cZ-wC25PoxEffllLA063kA8346advvpdRRfcpYo81BZnqp543qEDSbsi8LIqgUj10lkmU |
| Other Info | json:authentication.token |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | authentication.token |
| Attack | |
| Evidence | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.cq7twkxX-JAFNSYfbB9SBD2-6fSK25mHLwCL1wb4o1DGln4kGPmODJKWQYAt1JkS1AQnLva1ZPHPjHEM6c5xNhFTIanks2QLUDX7ByVggzZGG7_Uie7QFVxMdyHDF9XKcxHoJEAxQYub7cWRMKyk8wpOE1uNrHgSvm80A-szQ4M |
| Other Info | json:authentication.token |
| Instances | 13 |
| Solution | This is an informational alert rather than a vulnerability and so there is nothing to fix. |
| Reference | https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id |
| CWE Id | |
| WASC Id | |
| Plugin Id | 10112 |
| Informational | Storable and Cacheable Content |
|---|---|
| Description | The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where "shared" caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. |
| URL | http://localhost:3000/api/Challenges/?name=Score%20Board |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/api/Quantitys/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/rest/admin/application-configuration |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/rest/admin/application-version |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/rest/languages |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/rest/products/search?q= |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIagn&sid=n5Uh5L1rIJHfIQX-AAAf |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaLt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaM1 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaqF |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaSZ&sid=n5Uh5L1rIJHfIQX-AAAf |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaut |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaVl&sid=LKJ-_FXsBzlh84VKAAAe |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaxf |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIb_m&sid=OVMXjcsEKKnJ18pJAAAp |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbCk&sid=8JA7uSXPXSVN9717AAAj |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbjB&sid=ONbMF3vmLX0eRsAkAAAm |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbMA&sid=yQFN1nWRLB5Z9lODAAAk |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbqZ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbSU |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbsz |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbwG |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIc6n&sid=Q3pj-w4C8cp0jbvyAAAq |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIcqD&sid=Hce6tw7w2cu2QuvNAAAu |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIcRi |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIcvO |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIcY5 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIczh |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIczO |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrId15 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdkh&sid=V8P3esqepqxAaRKtAAA1 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdLr |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdPM&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrU&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdSn |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdsn&sid=V8P3esqepqxAaRKtAAA1 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrITSc |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrITXi&sid=ySzRhkhzWa-HcBHjAAAG |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIUCU |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIUFZ&sid=8h9tmlUqpLWT1OC8AAAI |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIUJ7&sid=8h9tmlUqpLWT1OC8AAAI |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIV7E |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIVB_&sid=FLZJf9Qvr74t2QD_AAAK |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIVd7&sid=3Wd9Qc6SOt2J_7LcAAAM |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIVFT&sid=FLZJf9Qvr74t2QD_AAAK |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIViN&sid=3Wd9Qc6SOt2J_7LcAAAM |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIVYY |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIWDS |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIWM5&sid=4yguUaOnGoIw0gbrAAAO |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIWSK&sid=4yguUaOnGoIw0gbrAAAO |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXJM |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXnJ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXQ5&sid=vDm7-i1Nnb-lIU_6AAAQ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXqa&sid=xyHF1bhg3o751MlvAAAS |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXti&sid=xyHF1bhg3o751MlvAAAS |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXTQ&sid=vDm7-i1Nnb-lIU_6AAAQ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIY_X&sid=Wj1yB4oTTgtC46__AAAa |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYAb |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYDG |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYF0&sid=VyIpwimzMp-Rct1CAAAU |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYIT&sid=kTHRhSsBMYKMdLVZAAAV |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYs7&sid=ZdJIi-VKJ8hF4_viAAAY |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYTq&sid=VyIpwimzMp-Rct1CAAAU |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYwC |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYwj&sid=ZdJIi-VKJ8hF4_viAAAY |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYYs |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIZ7l&sid=Wj1yB4oTTgtC46__AAAa |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIZkO |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIZqJ&sid=cQARiR1Qqmjm8lF2AAAc |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIZt4&sid=cQARiR1Qqmjm8lF2AAAc |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaSW&sid=n5Uh5L1rIJHfIQX-AAAf |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIaVf&sid=LKJ-_FXsBzlh84VKAAAe |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIb_h&sid=OVMXjcsEKKnJ18pJAAAp |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbCf&sid=8JA7uSXPXSVN9717AAAj |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbEf&sid=ZAZ2DKHLWikURXggAAAi |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbj9&sid=ONbMF3vmLX0eRsAkAAAm |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIbM7&sid=yQFN1nWRLB5Z9lODAAAk |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIc6l&sid=Q3pj-w4C8cp0jbvyAAAq |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIcN1&sid=OVMXjcsEKKnJ18pJAAAp |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIcqA&sid=Hce6tw7w2cu2QuvNAAAu |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIctK&sid=Hce6tw7w2cu2QuvNAAAu |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdkf&sid=V8P3esqepqxAaRKtAAA1 |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdPJ&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrITXg&sid=ySzRhkhzWa-HcBHjAAAG |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIUFX&sid=8h9tmlUqpLWT1OC8AAAI |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIVBz&sid=FLZJf9Qvr74t2QD_AAAK |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIVd4&sid=3Wd9Qc6SOt2J_7LcAAAM |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIWM1&sid=4yguUaOnGoIw0gbrAAAO |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXQ3&sid=vDm7-i1Nnb-lIU_6AAAQ |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIXqY&sid=xyHF1bhg3o751MlvAAAS |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIY_V&sid=Wj1yB4oTTgtC46__AAAa |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYE-&sid=VyIpwimzMp-Rct1CAAAU |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYIQ&sid=kTHRhSsBMYKMdLVZAAAV |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIYs4&sid=ZdJIi-VKJ8hF4_viAAAY |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIZqH&sid=cQARiR1Qqmjm8lF2AAAc |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234. |
| Instances | 99 |
| Solution | Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider using the following HTTP response headers to limit or prevent the content being stored in, and retrieved from, the cache by another user: `Cache-Control: no-cache, no-store, must-revalidate, private`, `Pragma: no-cache`, `Expires: 0`. This configuration directs both HTTP/1.0- and HTTP/1.1-compliant caching servers not to store the response, and not to serve the response from the cache (without revalidation) in reply to a similar request. |
| Reference | https://datatracker.ietf.org/doc/html/rfc7234 https://datatracker.ietf.org/doc/html/rfc7231 https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html |
| CWE Id | 524 |
| WASC Id | 13 |
| Plugin Id | 10049 |
| Informational | Trace.axd Information Leak |
|---|---|
| Description | The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. |
| URL | http://localhost:3000/api/Challenges/trace.axd |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 401 Unauthorized |
| Other Info | Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. |
| URL | http://localhost:3000/api/Quantitys/trace.axd |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 403 Forbidden |
| Other Info | Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. |
| URL | http://localhost:3000/ftp/trace.axd |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 403 Forbidden |
| Other Info | Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. |
| Instances | 3 |
| Solution | Consider whether Trace Viewer is actually required in production; if it isn't, disable it. If it is, ensure that access to it requires authentication and authorization. |
| Reference | https://msdn.microsoft.com/en-us/library/bb386420.aspx https://msdn.microsoft.com/en-us/library/wwh16c6c.aspx https://www.dotnetperls.com/trace |
| CWE Id | 215 |
| WASC Id | 13 |
| Plugin Id | 40029 |
| Informational | User Agent Fuzzer |
|---|---|
| Description | Check for differences in the response based on a fuzzed User-Agent header (e.g. mobile sites, or access as a search engine crawler). Compares the response status code and the hash of the response body with those of the original response. |
| URL | http://localhost:3000/assets |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | msnbot/1.1 (+http://search.msn.com/msnbot.htm) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/i18n |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/i18n |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/i18n |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/i18n |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/i18n |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/i18n |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/i18n |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/i18n |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/i18n |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/i18n |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/i18n |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/i18n |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | msnbot/1.1 (+http://search.msn.com/msnbot.htm) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | msnbot/1.1 (+http://search.msn.com/msnbot.htm) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | msnbot/1.1 (+http://search.msn.com/msnbot.htm) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images/products |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images/products |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images/products |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images/products |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images/products |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images/products |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images/products |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images/products |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images/products |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images/products |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images/products |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/assets/public/images/products |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | msnbot/1.1 (+http://search.msn.com/msnbot.htm) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/languages |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/languages |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/languages |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/languages |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/languages |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/languages |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/languages |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdLr |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdLr |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdLr |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdLr |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdLr |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdLr |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdLr |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdLr |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdLr |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdLr |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdLr |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdLr |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | msnbot/1.1 (+http://search.msn.com/msnbot.htm) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdvF&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | msnbot/1.1 (+http://search.msn.com/msnbot.htm) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | msnbot/1.1 (+http://search.msn.com/msnbot.htm) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/rest/2fa/verify |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | msnbot/1.1 (+http://search.msn.com/msnbot.htm) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdrS&sid=dnkjh3HQ3JxMOP_OAAA3 |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | msnbot/1.1 (+http://search.msn.com/msnbot.htm) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 |
| Evidence | |
| Other Info | |
| URL | http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PTrIdXu&sid=Pwg5IbWtdeyHitYaAAAx |
| Method | POST |
| Parameter | Header User-Agent |
| Attack | msnbot/1.1 (+http://search.msn.com/msnbot.htm) |
| Evidence | |
| Other Info | |
| Instances | 138 |
| Solution | |
| Reference | https://owasp.org/wstg |
| CWE Id | |
| WASC Id | |
| Plugin Id | 10104 |